30 July, 2004

* Microsoft's Security Laws: Rebuttal - From Bruce MacDonald

The following is from a newsletter I subscribe to and I am not the author or the writer of the newsletter. -- WP

-------------------------------------------------------------------------------------

W2Knews[tm] Electronic Newsletter
Vol. 9, #30 Aug 2, 2004 - Issue #486
Published by sunbelt-software.com since 1996 - ISSN: 1527-3407
~ The secret of those "who always seem to know" ~
**********************over 300,000 Readers***********************

* Microsoft's Security Laws: Rebuttal

In the last Stu's News (company newsletter for Sunbelt customers) I published Microsoft's 10 Security Laws and got an earful of feedback. [grin] Bruce MacDonald, who is an Information Technology Manager sent me this. Quite interesting and humorous reading actually! (You can subscribe to Stu's News over here, it's a monthly):

http://www.w2knews.com/rd/rd.cfm?id=040802TB-Stus_News

"Stu, Here is my feedback on Microsoft's laws.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

REBUTTAL #1: If an operating system writer sells an operating system that permits this, then the OS writer is an accomplice.

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

REBUTTAL #2: If the writer of that operating system makes "everyone: Full control" the default security setting, then the OS writer is an accomplice and should be liable for any damage thus caused.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

REBUTTAL #3: If ANYONE other than yourself and trusted individuals has unrestricted physical access to your computer, then you are a fool and deserve what you get.

Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.

REBUTTAL #4: If someone pretending to be a good guy does the same thing, they become the bad guy.

Law #5: Weak passwords trump strong security.

REBUTTAL #5: Once again, Microsoft reveals an astonishing degree of hypocrisy by making this a 'law'. Installing Windows XP Pro does not even prompt for an administrator password, let alone force even basic password common sense. If Microsoft did their job properly, it would be impossible to create a weak password.

Law #6: A machine is only as secure as the administrator is trustworthy.

REBUTTAL #6: This is a universal security law, not a computer or technological one. Stating the obvious.

Law #7: Encrypted data is only as secure as the decryption key.

REBUTTAL #7: I guess they wanted 10 laws really bad. This is stating the obvious again.

Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.

REBUTTAL #8: No existing virus scanner is of any use whatsoever against previously unknown viruses. At the very basis of system design, it should be totally impossible to introduce an executable piece of code without putting the machine deliberately into an 'installation mode'.

In such a mode, only specially designated installation programs would run. Nothing could ever execute unless first "blessed" by such an installer. A separate "execution" mode would not permit installers to run. A further "developer" mode would permit both, but would be restricted to running developer tools. Such an operating system would be relatively easy to implement, and no malware could then exist.

Law #9: Absolute anonymity isn't practical, in real life or on the Web.

REBUTTAL #9: Bullsh!t. Microsoft threw this in 'cuz they want people to become less protective of their privacy. Presumably so that Microsoft can profit by exploiting it. This statement is detestable. By throwing the word 'absolute' in there, they make their statement true, but its intent is sinister. I see a day coming when all content generated for use outside the confines of the computer that created it will be required to be digitally signed by its originator, and further by each distributor as it travels the internets of the world, and all accesses of private systems will require prior permission, whereas access to public systems will still be permissible anonymously. In Canada (I don't know about the US) trespass on another's land is a tort (a civil case), but peeking in their windows is a criminal offense (the equivalent in the US of a felony). Microsoft, and many other internet entities, by using information found on my computer without my permission commit the same offence. The only difference is that it is copper, not glass, that they are peeking through.

Law #10: Technology is not a panacea. (noun: hypothetical remedy for all ills or diseases; once sought by the alchemists)

REBUTTAL #10: LOL - and they finish off by stating the obvious once again.

I'll finish off with a law of my own:

MacDonald's Law: Every communication originating from a corporation is self-serving, and contains deceptions, misdirections and outright falsehoods. Corollary: The purpose of the deception is to mine your pockets. You have been warned."

-------------------------------------------------------------------------------------

Nonetheless, I do not agree with all of the so-called Microsoft "laws", or Mr. MacDonald's rebuttals. I do think this is well worth the zeros and ones - oh, and the read.

--WP
